Researchers at cloud security startup Orca Security have publicly documented a pair of vulnerabilities in AWS CloudFormation and AWS Glue that attackers could use to leak sensitive files or access other customers’ data.
The first of the security flaws is described as an XML External Entity (XXE) error that could have been exploited to leak sensitive files stored in the CloudFormation service, as well as to disclose credentials for internal AWS infrastructure services.
CloudFormation is a service that helps users provision AWS resources using templates and to create and configure resources dynamically using API calls.
The XXE vulnerability could have allowed attackers to read files and perform HTTP requests on behalf of a compromised CloudFormation server, according to an advisory from Orca Security.
[ READ: Remote Code Execution Vulnerability Found in AWS WorkSpaces ]
The host contained multiple AWS service binaries and various configuration files and an attacker could have leveraged the data (including credentials for internal endpoints) to bypass tenant boundaries and gain privileged access to any resource in AWS, the company warned.
The vulnerability was addressed on September 15, 2021, one week after Orca Security reported it to the AWS security response team.
Impacting the AWS Glue service, the second vulnerability could have been used to create resources and access the data belonging to other AWS Glue customers. The exploitation process, however, was complex and required multiple steps.
[ READ: Amazon Sidewalk Mesh Network Raises Security, Privacy Concerns ]
The issue could allow an attacker to obtain credentials providing them with full access to internal service API, and then leverage an internal misconfiguration in AWS Glue – a service helping users easily discover and combine data for analytics, application creation, and machine learning – to gain “unrestricted access to all resources for the service in the region, including full administrative privileges,” Orca Security explained.
Successful exploitation of the bug could have allowed an attacker to assume roles in AWS customer accounts trusted by the Glue service, and query and modify AWS Glue service-related resources.
“We are aware of an issue related to AWS Glue ETL and AWS CloudFormation and can confirm that no AWS customer accounts or data were affected. Upon learning of this matter from Orca Security, we took immediate action to mitigate it within hours and have added additional controls to the services to prevent any recurrence,” and AWS spokesperson told SecurityWeek in an emailed response to this article.
*Updated with comment from AWS
Related: Remote Code Execution Vulnerability Found in AWS WorkSpaces
Related: Amazon to Offer Free Cybersecurity Training Materials, MFA Devices
Related: Amazon Sidewalk Mesh Network Raises Security, Privacy Concerns
More from Ionut Arghire
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Adobe Inviting Researchers to Private Bug Bounty Program
- Critical Vulnerabilities Found in Faronics Education Software
Latest News
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
